Changeset 2986360

Timestamp:

10/30/2023 06:26:04 PM (2 years ago)

Author:

datafeedr.com

Message:

Update to version 0.9.68 from GitHub

Location:

datafeedr-comparison-sets

Files:

• tags/0.9.68 (copied) (copied from datafeedr-comparison-sets/trunk)
• tags/0.9.68/classes/class-dfrcs.php (modified) (1 diff)
• tags/0.9.68/datafeedr-comparison-sets.php (modified) (2 diffs)
• tags/0.9.68/includes/actions.php (modified) (8 diffs)
• tags/0.9.68/includes/functions.php (modified) (1 diff)
• tags/0.9.68/readme.txt (modified) (2 diffs)
• trunk/classes/class-dfrcs.php (modified) (1 diff)
• trunk/datafeedr-comparison-sets.php (modified) (2 diffs)
• trunk/includes/actions.php (modified) (8 diffs)
• trunk/includes/functions.php (modified) (1 diff)
• trunk/readme.txt (modified) (2 diffs)

datafeedr-comparison-sets/tags/0.9.68/classes/class-dfrcs.php

@@ -320 +320 @@
     private function set_encoded_source() {
         $source               = $this->source->original;
+        $signature            = dfrcs_hash_hmac( serialize( $source ) );
+        $source['signature']  = $signature;
         $source               = serialize( $source );
         $source               = base64_encode( $source );

datafeedr-comparison-sets/tags/0.9.68/datafeedr-comparison-sets.php

@@ -11 +11 @@
 Requires at least: 3.8
 Tested up to: 6.3.3-alpha
-Version: 0.9.67
+Version: 0.9.68
 
 WC requires at least: 3.0
@@ -43 +43 @@
  * Define constants.
  */
-define( 'DFRCS_VERSION', '0.9.67' );
+define( 'DFRCS_VERSION', '0.9.68' );
 define( 'DFRCS_DB_VERSION', '0.9.0' );
 define( 'DFRCS_URL', plugin_dir_url( __FILE__ ) );

datafeedr-comparison-sets/tags/0.9.68/includes/actions.php

@@ -1237 +1237 @@
     $request = $_REQUEST;
 
-    $request_source  = $request['source'];
-    $request_source  = base64_decode( $request_source );
+    $request_source = $request['source'];
+    $request_source = base64_decode( $request_source );
     $request_source = unserialize( $request_source, [ 'allowed_classes' => false, 'max_depth' => 1 ] );
 
@@ -1244 +1244 @@
     if ( ! is_array( $request_source ) ) {
         die();
+    }
+
+    $received_signature = $request_source['signature'];
+    unset( $request_source['signature'] );
+    $check_signature = dfrcs_hash_hmac( serialize( $request_source ) );
+
+    if ( ! hash_equals( $check_signature, $received_signature ) ) {
+        die( 'Invalid signature' );
     }
 
@@ -1274 +1282 @@
     check_ajax_referer( 'dfrcs_ajax_nonce', 'dfrcs_security' );
 
+    if ( ! dfrcs_can_manage_compset() ) {
+        die( 'Permission denied' );
+    }
+
     $request = $_REQUEST;
 
-    if ( ! isset( $request['hash'] ) || empty( $request['hash'] ) ) {
+    if ( empty( $request['hash'] ) ) {
         die();
     }
@@ -1290 +1302 @@
     if ( ! is_array( $source ) ) {
         die();
+    }
+
+    $received_signature = $source['signature'];
+    unset( $source['signature'] );
+    $check_signature = dfrcs_hash_hmac( serialize( $source ) );
+
+    if ( ! hash_equals( $check_signature, $received_signature ) ) {
+        die( 'Invalid signature' );
     }
 
@@ -1339 +1359 @@
     check_ajax_referer( 'dfrcs_ajax_nonce', 'dfrcs_security' );
 
+    if ( ! dfrcs_can_manage_compset() ) {
+        die( 'Permission denied' );
+    }
+
     global $wpdb;
 
@@ -1415 +1439 @@
     check_ajax_referer( 'dfrcs_ajax_nonce', 'dfrcs_security' );
 
+    if ( ! dfrcs_can_manage_compset() ) {
+        die( 'Permission denied' );
+    }
+
     global $wpdb;
 
@@ -1493 +1521 @@
     check_ajax_referer( 'dfrcs_ajax_nonce', 'dfrcs_security' );
 
+    if ( ! dfrcs_can_manage_compset() ) {
+        die( 'Permission denied' );
+    }
+
     global $wpdb;
 
@@ -1620 +1652 @@
     check_ajax_referer( 'dfrcs_ajax_nonce', 'dfrcs_security' );
 
+    if ( ! dfrcs_can_manage_compset() ) {
+        die( 'Permission denied' );
+    }
+
     if ( ! isset( $_REQUEST['hash'] ) ) {
-        echo 'no hash';
-        die;
+        die( 'Missing hash' );
     }
 

datafeedr-comparison-sets/tags/0.9.68/includes/functions.php

@@ -1414 +1414 @@
     return boolval( preg_match( '/^[a-f0-9]{32}$/', $md5 ) );
 }
+
+/**
+ * Returns the Comparison Sets Hash value to use in signed requests.
+ *
+ * This function will only return a valid MD5 hash. If the value returned
+ * from the database does not exist OR is an invalid MD5 hash, this
+ * function will create and save a new MD5 hash and return the new hash.
+ *
+ * @since 0.9.68
+ *
+ * @return string
+ */
+function dfrcs_get_hash(): string {
+
+    $option = 'dfrcs_hash';
+    $hash   = get_option( $option, false );
+
+    if ( dfrcs_is_valid_md5( $hash ) ) {
+        return $hash;
+    }
+
+    $password = wp_generate_password( 64, true, true );
+    $hash     = wp_hash( $password );
+
+    update_option( $option, $hash, false );
+
+    return $hash;
+}
+
+/**
+ * Return a "signature" for the $data.
+ *
+ * @since 0.9.68
+ *
+ * @param string $data
+ *
+ * @return bool|string
+ */
+function dfrcs_hash_hmac( string $data ): bool|string {
+    $algo = 'sha256';
+    $key  = dfrcs_get_hash();
+
+    return hash_hmac( $algo, $data, $key );
+}

datafeedr-comparison-sets/tags/0.9.68/readme.txt

@@ -9 +9 @@
 Requires at least: 3.8
 Tested up to: 6.3.3-alpha
-Stable tag: 0.9.67
+Stable tag: 0.9.68
 
 Automatically create price comparison sets for your WooCommerce products or by using a shortcode.
@@ -205 +205 @@
 
 == Changelog ==
+
+= 0.9.68 - 2023/10/30 =
+* Added `signed` encoded source values.
 
 = 0.9.67 - 2023/10/19 =

datafeedr-comparison-sets/trunk/classes/class-dfrcs.php

@@ -320 +320 @@
     private function set_encoded_source() {
         $source               = $this->source->original;
+        $signature            = dfrcs_hash_hmac( serialize( $source ) );
+        $source['signature']  = $signature;
         $source               = serialize( $source );
         $source               = base64_encode( $source );

datafeedr-comparison-sets/trunk/datafeedr-comparison-sets.php

@@ -11 +11 @@
 Requires at least: 3.8
 Tested up to: 6.3.3-alpha
-Version: 0.9.67
+Version: 0.9.68
 
 WC requires at least: 3.0
@@ -43 +43 @@
  * Define constants.
  */
-define( 'DFRCS_VERSION', '0.9.67' );
+define( 'DFRCS_VERSION', '0.9.68' );
 define( 'DFRCS_DB_VERSION', '0.9.0' );
 define( 'DFRCS_URL', plugin_dir_url( __FILE__ ) );

datafeedr-comparison-sets/trunk/includes/actions.php

@@ -1237 +1237 @@
     $request = $_REQUEST;
 
-    $request_source  = $request['source'];
-    $request_source  = base64_decode( $request_source );
+    $request_source = $request['source'];
+    $request_source = base64_decode( $request_source );
     $request_source = unserialize( $request_source, [ 'allowed_classes' => false, 'max_depth' => 1 ] );
 
@@ -1244 +1244 @@
     if ( ! is_array( $request_source ) ) {
         die();
+    }
+
+    $received_signature = $request_source['signature'];
+    unset( $request_source['signature'] );
+    $check_signature = dfrcs_hash_hmac( serialize( $request_source ) );
+
+    if ( ! hash_equals( $check_signature, $received_signature ) ) {
+        die( 'Invalid signature' );
     }
 
@@ -1274 +1282 @@
     check_ajax_referer( 'dfrcs_ajax_nonce', 'dfrcs_security' );
 
+    if ( ! dfrcs_can_manage_compset() ) {
+        die( 'Permission denied' );
+    }
+
     $request = $_REQUEST;
 
-    if ( ! isset( $request['hash'] ) || empty( $request['hash'] ) ) {
+    if ( empty( $request['hash'] ) ) {
         die();
     }
@@ -1290 +1302 @@
     if ( ! is_array( $source ) ) {
         die();
+    }
+
+    $received_signature = $source['signature'];
+    unset( $source['signature'] );
+    $check_signature = dfrcs_hash_hmac( serialize( $source ) );
+
+    if ( ! hash_equals( $check_signature, $received_signature ) ) {
+        die( 'Invalid signature' );
     }
 
@@ -1339 +1359 @@
     check_ajax_referer( 'dfrcs_ajax_nonce', 'dfrcs_security' );
 
+    if ( ! dfrcs_can_manage_compset() ) {
+        die( 'Permission denied' );
+    }
+
     global $wpdb;
 
@@ -1415 +1439 @@
     check_ajax_referer( 'dfrcs_ajax_nonce', 'dfrcs_security' );
 
+    if ( ! dfrcs_can_manage_compset() ) {
+        die( 'Permission denied' );
+    }
+
     global $wpdb;
 
@@ -1493 +1521 @@
     check_ajax_referer( 'dfrcs_ajax_nonce', 'dfrcs_security' );
 
+    if ( ! dfrcs_can_manage_compset() ) {
+        die( 'Permission denied' );
+    }
+
     global $wpdb;
 
@@ -1620 +1652 @@
     check_ajax_referer( 'dfrcs_ajax_nonce', 'dfrcs_security' );
 
+    if ( ! dfrcs_can_manage_compset() ) {
+        die( 'Permission denied' );
+    }
+
     if ( ! isset( $_REQUEST['hash'] ) ) {
-        echo 'no hash';
-        die;
+        die( 'Missing hash' );
     }
 

datafeedr-comparison-sets/trunk/includes/functions.php

@@ -1414 +1414 @@
     return boolval( preg_match( '/^[a-f0-9]{32}$/', $md5 ) );
 }
+
+/**
+ * Returns the Comparison Sets Hash value to use in signed requests.
+ *
+ * This function will only return a valid MD5 hash. If the value returned
+ * from the database does not exist OR is an invalid MD5 hash, this
+ * function will create and save a new MD5 hash and return the new hash.
+ *
+ * @since 0.9.68
+ *
+ * @return string
+ */
+function dfrcs_get_hash(): string {
+
+    $option = 'dfrcs_hash';
+    $hash   = get_option( $option, false );
+
+    if ( dfrcs_is_valid_md5( $hash ) ) {
+        return $hash;
+    }
+
+    $password = wp_generate_password( 64, true, true );
+    $hash     = wp_hash( $password );
+
+    update_option( $option, $hash, false );
+
+    return $hash;
+}
+
+/**
+ * Return a "signature" for the $data.
+ *
+ * @since 0.9.68
+ *
+ * @param string $data
+ *
+ * @return bool|string
+ */
+function dfrcs_hash_hmac( string $data ): bool|string {
+    $algo = 'sha256';
+    $key  = dfrcs_get_hash();
+
+    return hash_hmac( $algo, $data, $key );
+}

datafeedr-comparison-sets/trunk/readme.txt

@@ -9 +9 @@
 Requires at least: 3.8
 Tested up to: 6.3.3-alpha
-Stable tag: 0.9.67
+Stable tag: 0.9.68
 
 Automatically create price comparison sets for your WooCommerce products or by using a shortcode.
@@ -205 +205 @@
 
 == Changelog ==
+
+= 0.9.68 - 2023/10/30 =
+* Added `signed` encoded source values.
 
 = 0.9.67 - 2023/10/19 =